Description
Jenkins Maven Metadata Plugin for Jenkins CI server, version 2.2 and earlier, does not perform URL validation for the Repository Base URL of "List maven artifact versions" parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
Remediation
References
http://www.openwall.com/lists/oss-security/2022/07/27/1
https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-2686
Related Vulnerabilities
CVE-2019-17513 Vulnerability in maven package io.ratpack:ratpack-core
CVE-2023-5654 Vulnerability in npm package react-devtools-core
CVE-2023-46659 Vulnerability in maven package org.jenkins-ci.plugins:trac
CVE-2020-26870 Vulnerability in maven package org.webjars.bowergithub.cure53:dompurify
CVE-2020-2219 Vulnerability in maven package org.jenkins-ci.plugins:link-column